I'm testing a friend's website running on Amazon's EC2 servers. He put in a request to allow me to test it next week. The terms are pretty standard, don't DoS the servers. I'm planning on running Nessus (regular server scan and web app scan), Nikto and BurpSuite Scanner on the site. Is there anything I should know, settings I should change in the scans before I start?

Go through the Nessus plugins and make sure you are running safe scans. Maybe disable some of the plugins that won't be needed (don't run Oracle plugins if no Oracle service is running). Will you be running an authenticated scan?

Thanks, I was planning on doing both. Running a server scan without credentials (External IP Scan), and then a web app scan with credentials. I will have safe scans enabled. If I have all the plugins enabled, safe scan will ensure that the non-safe ones aren't run, right? The server is run through a PaaS provider, so my friend isn't sure about all the services running, so I want to be thorough.

I've never run a scan on a live, external server before, so I'm just trying to be cautious. I kind of wish I had an external server to test the scans on first, but oh well.

Although the safe scans are supposed to be "safe", there are some plugins that can cause undesired results. A good example is when you scan a network with all plugins enabled and you hit a bunch of network printers. The scan requests caused them to print reams of garbage. Not that I ever did that. But I heard about it from a friend. Now Nessus has a checkbox in the policy to skip "sensitive" devices.

To find the web app vulns you may want to utilize something like Nikto or Burp Suite.
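The advice in this thread boils down to a pre-flight check on the scan policy: safe checks on, sensitive devices such as printers skipped, and plugin families that don't match the target (Oracle, Denial of Service) disabled. The script below is an added example, not code from anyone in the thread or from Tenable, that audits a Nessus policy export against such a checklist. It assumes the `.nessus` v2 layout (a `<Policy>` element with `<ServerPreferences>/<preference>` name/value pairs and `<FamilySelection>/<FamilyItem>` entries) and the preference names `safe_checks` and `scan_network_printers`; treat those as assumptions and check them against your own export. The XML embedded in it is constructed for the example.

```python
"""Audit a Nessus policy export (.nessus v2 XML) before pointing it at a live host.

Assumptions (not verified against a Tenable spec): the <Policy> block carries
<ServerPreferences> with <preference><name/><value/></preference> children and
<FamilySelection> with <FamilyItem><FamilyName/><Status/></FamilyItem> children;
the preference names safe_checks and scan_network_printers are what Nessus uses.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a hand-written stand-in for the <Policy> section of an export.
SAMPLE_POLICY = """<NessusClientData_v2>
  <Policy>
    <policyName>friend-webapp-external</policyName>
    <Preferences>
      <ServerPreferences>
        <preference><name>safe_checks</name><value>yes</value></preference>
        <preference><name>scan_network_printers</name><value>no</value></preference>
      </ServerPreferences>
    </Preferences>
    <FamilySelection>
      <FamilyItem><FamilyName>Web Servers</FamilyName><Status>enabled</Status></FamilyItem>
      <FamilyItem><FamilyName>CGI abuses</FamilyName><Status>enabled</Status></FamilyItem>
      <FamilyItem><FamilyName>Oracle</FamilyName><Status>enabled</Status></FamilyItem>
      <FamilyItem><FamilyName>Denial of Service</FamilyName><Status>disabled</Status></FamilyItem>
    </FamilySelection>
  </Policy>
</NessusClientData_v2>
"""

# Families that should never be on for a "don't DoS the servers" engagement.
DISRUPTIVE_FAMILIES = {"Denial of Service"}


def server_preferences(xml_text):
    """Return {preference name: value} for every <preference> in the policy."""
    root = ET.fromstring(xml_text)
    prefs = {}
    for pref in root.iter("preference"):
        name = pref.findtext("name")
        if name is not None:
            prefs[name.strip()] = (pref.findtext("value") or "").strip()
    return prefs


def enabled_families(xml_text):
    """Return the sorted list of plugin families whose Status is 'enabled'."""
    root = ET.fromstring(xml_text)
    return sorted(
        (item.findtext("FamilyName") or "").strip()
        for item in root.iter("FamilyItem")
        if (item.findtext("Status") or "").strip().lower() == "enabled"
    )


def audit_policy(xml_text, families_in_scope):
    """Return a list of human-readable findings; an empty list means the policy passes.

    families_in_scope: the plugin families that match what is known to run on the
    target (e.g. {"Web Servers", "CGI abuses"} for a plain web application).
    """
    prefs = server_preferences(xml_text)
    findings = []
    if prefs.get("safe_checks", "").lower() != "yes":
        findings.append("safe_checks is not enabled")
    if prefs.get("scan_network_printers", "").lower() == "yes":
        findings.append("scan_network_printers is enabled; printers may spew paper")
    for family in enabled_families(xml_text):
        if family in DISRUPTIVE_FAMILIES:
            findings.append(f"family '{family}' is enabled on a no-DoS engagement")
        elif family not in families_in_scope:
            findings.append(f"family '{family}' enabled but not in scope")
    return findings


if __name__ == "__main__":
    # Scope for the thread's scenario: a web app on a PaaS, no Oracle service known.
    for line in audit_policy(SAMPLE_POLICY, {"Web Servers", "CGI abuses"}) or ["policy passes"]:
        print(line)
```

In practice you would replace `SAMPLE_POLICY` with the contents of a policy exported from Nessus and adjust `families_in_scope` to the services the PaaS provider confirms are running; an Oracle family left on is harmless under safe checks but wastes scan time against a host that has no Oracle listener, which is the point the first reply makes.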